Page created: 7 Sep 2021 | Page updated: 16 Feb 2022
For general instructions, see Create an OpenID Connect IdP connection
- From the Authentication Selector screen in PingFederate, select the Add or Update AuthN Context Attribute box next to the PingAccess entry, update your selector result values to include Azure AD as an authentication requirement, and click Save. See Configure the Requested AuthN Context Authentication Selector.
- Ensure there is a path in your authentication policy tree to include your new authentication requirement for Azure, verify that you are fulfilling your policy contracts, and click Save. See Defining authentication policies and Define authentication policies based on group membership information.
- Under Authorization Server Settings, extend the persistent grant to map the Azure AD group into the OIDC token to PingAccess. See Define grant contract fulfillment for IdP adapter mapping.
- Extend the access token attribute contract to include groups, fulfill the persistent grants from the authentication policy contract, and fulfill the access token mapping with the persistent grant. See Configure policy and ID token settings.
- In your OIDC policy, map from the access token or perform any additional lookups against local data stores. See Configure IdP adapter attribute sources and user lookup.
- Go to PingAccess and write a web session attribute rule for the group membership to which the rule applies. See Configure session management.
Note: Apply this rule as needed for your specific use case, application, or API.
Azure AD does not provide friendly names for its groups and instead returns them as object IDs. PingAccess verifies group membership in Azure AD and uses this group membership to enforce medium-grained access control.
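As an added illustration (not Ping Identity's code or configuration), the following Python models how a web session attribute rule of the kind described above evaluates the groups claim that the OIDC policy passed through to PingAccess. The group object ID, the local object-ID-to-name lookup and the sample payloads are constructed placeholders; the claims are assumed to come from an already signature-verified token.

```python
import time

# Placeholder object ID for the Azure AD group that grants access (not a real group).
# Azure AD returns group object IDs (GUIDs), not display names, in the groups claim.
REQUIRED_GROUP_OBJECT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed local lookup from object ID to a friendly name, used only for audit messages.
GROUP_NAMES = {REQUIRED_GROUP_OBJECT_ID: "app-users"}


def evaluate_group_rule(claims, required_group, now=None):
    """Deny-by-default membership check modelled on a PingAccess web session attribute rule.

    `claims` is the decoded payload of a token whose signature has already been verified.
    Returns a (allowed, reason) tuple so the reason can be logged on every decision.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token missing exp or expired"
    groups = claims.get("groups")
    if groups is None:
        return False, "groups claim absent from token"
    if isinstance(groups, str):  # tolerate a single-valued claim emitted as a string
        groups = [groups]
    name = GROUP_NAMES.get(required_group, required_group)  # fall back to the raw object ID
    if required_group not in groups:
        return False, "required group %s not present" % name
    return True, "member of %s" % name


# Constructed sample payloads (not real tokens) that exercise each branch of the rule.
FAR_FUTURE = 4102444800  # 2100-01-01 UTC, so the sample does not expire during a test run
SAMPLE_OK = {"sub": "user1", "exp": FAR_FUTURE,
             "groups": [REQUIRED_GROUP_OBJECT_ID, "00000000-0000-0000-0000-000000000002"]}
SAMPLE_NO_GROUPS = {"sub": "user2", "exp": FAR_FUTURE}
SAMPLE_EXPIRED = {"sub": "user3", "exp": 1, "groups": [REQUIRED_GROUP_OBJECT_ID]}
SAMPLE_WRONG_GROUP = {"sub": "user4", "exp": FAR_FUTURE,
                      "groups": "00000000-0000-0000-0000-000000000002"}

if __name__ == "__main__":
    for label, payload in [("ok", SAMPLE_OK), ("no_groups", SAMPLE_NO_GROUPS),
                           ("expired", SAMPLE_EXPIRED), ("wrong_group", SAMPLE_WRONG_GROUP)]:
        print(label, evaluate_group_rule(payload, REQUIRED_GROUP_OBJECT_ID))
```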